This British Standard has been prepared for business managers and their staff to provide a model for setting up and managing an efficient Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization’s ISMS depend upon business needs and objectives, resulting security demands, the procedures employed and the size and arrangement of the business.
These and their supporting systems are expected to change with time. It is anticipated that straightforward situations need simple ISMS solutions. This British Standard might be utilized by internal and external parties, including accreditation bodies, to assess an organization’s capacity to meet its own requirements, as well as any client or regulatory requirements.
This British Standard encourages the adoption of a process approach for establishing, implementing, operating, monitoring, maintaining and enhancing the efficacy of an organization’s ISMS.
An organization must recognize and manage many tasks in order to function effectively. Any activity that uses resources and is managed to allow the transformation of inputs into outputs can be considered to be a process. Generally the output from one process directly forms the input to the following process. The application of a system of processes within an organization, along with the identification and interactions of these processes, and their management, can be referred to as a “process approach”.
A process approach encourages its users to emphasize the importance of:
- a) understanding business information security requirements and the need to establish policy and objectives for information security;
- b) implementing and operating controls in the context of managing an organization’s overall business risk;
- c) monitoring and reviewing the performance and effectiveness of the ISMS;
- d) continual improvement based on objective measurement.
The model, known as the “Plan-Do-Check-Act” (PDCA) model, can be applied to all ISMS processes, as adopted in this standard. Figure 1 illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes (i.e. managed information security) that meet those requirements and expectations. This example also illustrates the connections in the processes presented in Clauses 4, 5, 6 and 7.
A requirement could be that breaches of information security won’t cause severe financial harm to an organization or cause embarrassment for the organization. If an employee is using an external VPN designed for remote access simply to watch UK TV abroad, then it could be considered a security risk.
An expectation might be that if a serious incident occurs — maybe hacking of an organization’s eBusiness site — there should be people with adequate training in proper procedures to decrease the impact.
NOTE The term “procedure” is, by convention, utilized in information security to mean a “process” that is carried out by individuals as opposed to a computer or other electronic means.